Day Pitney’s Healthcare Law Blog provides regular updates on issues affecting all aspects of the healthcare industry. In this era of ever-increasing regulation, we monitor healthcare news and developments from all federal and state agencies, as well as significant court decisions and public policy initiatives. We cut through the jargon and give our clients and other readers what they need to know in a concise, no-nonsense style to save them time while helping them stay informed.

The U.S. Department of Health and Human Services (HHS) last week announced a settlement with the Center for Children’s Digestive Health (CCDH), a small pediatric digestive health practice, for providing protected health information (PHI) to a document storage company without requiring the storage company to execute a business associate agreement (BAA) as required under the HIPAA Privacy Rule.

The HHS Office for Civil Rights (OCR) initiated a compliance review of CCDH when an investigation relating to the improper disposal of patient records by the storage company, FileFax, Inc., revealed a relationship with CCDH. Instead of disposing of unneeded records containing PHI in a secure manner (for example, by shredding them), FileFax left the records in an unlocked outdoor dumpster. Although CCDH began disclosing PHI to FileFax for storage purposes in 2003, the parties could only produce a BAA executed on October 12, 2015.

The Resolution Agreement requires CCDH to pay a fine of $31,000 and implement a corrective action plan, which will include a process for establishing whether a party is a business associate under HIPAA. While the amount of the settlement is relatively small, the case underscores that all covered entities, regardless of size, will face consequences if they fail to obtain written assurances that a business associate will safeguard PHI.